Threat Hunting: Search, Contain, and Destroy Cyberthreats with Druva

Badri Raghunathan, Sr. Director, Product Management and Vasu Subbiah, Sr. Director, Product Management

Incident Response and Cyber Recovery

Security investments by enterprises are at an all-time high because of incidents like breaches and ransomware. While it is not possible to completely eliminate cyber attacks, organizations can mitigate their risk by ensuring their backup system is fully secure, protects data, and enables fast, clean recovery to minimize downtime and prevent data loss. 

Critical to your cyber resiliency strategy is a well-tested incident response and cyber recovery playbook, which typically follows the workflow:

[Figure: Incident response timeline]

IR and remediation efforts fall under two broad categories:

“Peacetime Activities” — Hunting for Undetected Threats

Mature, at-scale security teams run “peacetime” threat hunting programs, typically to “hunt” for undetected threats that have penetrated cyber defenses and established a presence in the enterprise. Finding and confirming a threat during one of these hunts initiates the incident response process: drive the attacker out, contain the incident, and then begin remediation and recovery operations.

“Wartime Activities” — Following an Incident, Determining Scope, Impact, and Timeline

During the course of regular security operations, if incidents are confirmed, the team will determine the initial intrusion vector, timeline, and scope of infection during the investigation and response. These are dependencies for subsequent actions around containment, remediation, and recovery.

Gaps in the Process

For both peacetime and wartime actions, security and IR teams typically use primary security tools like SIEM and EDR to search for indicators of compromise (IoCs) and indicators of attack (IoAs). These could include static file attributes (filenames, file hashes, etc.) and behavioral attributes (process names, etc.). However, security teams might not have all the data available, or might need additional information to assess the situation properly.

Fortunately, backups contain this data across an extended timeline and your enterprise fleet (edge, data center, public cloud, and SaaS apps). What if enterprises could access this rich historical archive for more than just recovery, utilize it to search for threats, and take action?

Filling the Gaps in Response — Threat Hunting with Druva 

That’s where Druva comes in — we take a comprehensive approach that allows customers to search and take action on threats in their backed-up data. Let’s look at where the security team can investigate threats as part of a wartime or peacetime scenario in their end-user data distributed across edge devices (Win/Mac) or SaaS collaboration apps (Microsoft 365/Google Workspace). 

1. Search

Your security team can search for specific static file IoCs. Backups complement security tools by helping the customer determine the infection, its scope, and its timeline, and by informing the next steps of containment, cleanup, and recovery. Druva’s Federated Search is a powerful tool that leverages the metadata of backups. This capability is critical for locating sensitive or malicious data that users have backed up, and it offers insights that go beyond the raw data itself. Admins can search for data based on the following criteria:

  • Creation date and time

  • Author or owner

  • File size and type

  • Hash values

  • Email metadata (subject, recipients, attachment info)

Search based on this metadata provides matching results across historical backups. These offer an indication of which snapshots contain potential infections and the overall timeline of the attack. Admins can take subsequent containment, remediation, and recovery actions based on this information. 

[Figure: Federated Search for files. Search for files based on metadata across edge and SaaS backups (files, emails).]

2. Contain

Admins typically seek to take containment actions upon analyzing results — Druva offers powerful capabilities to contain the infected files (at a file and snapshot level) and prevent restores of infected files that would lead to reinfection in the customer’s primary environment.

[Figure: Quarantine potentially infected files to prevent re-infection.]

3. Destroy

Once the investigation is complete, admins can act on the search results: specific files or snapshots can be released from quarantine, or deleted as part of remediation and cleanup.

Druva’s defensible delete feature allows customers to delete particular files from backups and the primary asset (if the file is present). Additionally, Druva provides convenient reports that can be submitted to auditors and cyber insurance, ensuring compliance with the overall security process. 

[Figure: Defensible deletion removes infected files from backups.]
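The three steps above (search backup metadata for IoCs, quarantine the matches so they cannot be restored, then delete them with an audit trail) are easy to see end to end on a small model of a backup catalog. The following Python is an added example written for this page; it is not Druva’s code and does not call the Druva API. The snapshot records, device names, file paths and the “malicious” hash are all constructed, and the function names (`sweep`, `timeline`, `quarantine`, `restore`, `defensible_delete`) are assumptions made for the illustration.

```python
"""Added example: IoC sweep over backup snapshot metadata, quarantine, and
defensible delete. All data below is constructed; this is not vendor code."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch
from datetime import datetime
from posixpath import basename


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    size: int


@dataclass
class Snapshot:
    device: str
    taken_at: datetime
    files: list  # list[FileRecord]


# Constructed IoC: the hash of a made-up payload, standing in for a hash that
# would normally come from a threat-intel feed or an EDR alert.
MALICIOUS_HASH = hashlib.sha256(b"constructed-malicious-payload").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed-quarterly-report").hexdigest()


def _snap(device, day, files):
    return Snapshot(device, datetime(2024, 3, day), files)


# Constructed backup history for two endpoints, one snapshot per day.
SNAPSHOTS = [
    _snap("laptop-01", 1, [FileRecord("C:/Users/a/report.docx", BENIGN_HASH, 4096)]),
    _snap("laptop-01", 2, [FileRecord("C:/Users/a/report.docx", BENIGN_HASH, 4096),
                           FileRecord("C:/Users/a/Downloads/invoice.exe", MALICIOUS_HASH, 2048)]),
    _snap("laptop-01", 3, [FileRecord("C:/Users/a/report.docx", BENIGN_HASH, 4096),
                           FileRecord("C:/Users/a/Downloads/invoice.exe", MALICIOUS_HASH, 2048)]),
    _snap("laptop-02", 1, [FileRecord("C:/Users/b/notes.txt", BENIGN_HASH, 100)]),
    _snap("laptop-02", 3, [FileRecord("C:/Users/b/notes.txt", BENIGN_HASH, 100),
                           FileRecord("C:/Users/b/Temp/svc_update.exe", MALICIOUS_HASH, 2048)]),
]


def sweep(snapshots, ioc_hashes=(), name_glob=None):
    """Step 1 (search): every (device, taken_at, path) matching a hash IoC
    or a filename pattern, across the whole snapshot history."""
    ioc_hashes = set(ioc_hashes)
    return sorted(
        (s.device, s.taken_at, f.path)
        for s in snapshots for f in s.files
        if f.sha256 in ioc_hashes
        or (name_glob is not None and fnmatch(basename(f.path), name_glob))
    )


def timeline(matches):
    """Scope and timeline: the first snapshot per device that shows a match."""
    first = {}
    for device, taken_at, _ in matches:
        if device not in first or taken_at < first[device]:
            first[device] = taken_at
    return first


def quarantine(matches):
    """Step 2 (contain): the set of entries that restore must refuse."""
    return set(matches)


def restore(snapshots, device, taken_at, path, quarantined):
    """Return the file record, unless it is quarantined (blocks re-infection)."""
    if (device, taken_at, path) in quarantined:
        raise PermissionError(f"{path} in {device}@{taken_at:%Y-%m-%d} is quarantined")
    for s in snapshots:
        if s.device == device and s.taken_at == taken_at:
            for f in s.files:
                if f.path == path:
                    return f
    raise FileNotFoundError(path)


def defensible_delete(snapshots, quarantined, actor):
    """Step 3 (destroy): drop quarantined entries from every snapshot and
    return an audit log suitable for handing to auditors."""
    audit = []
    for s in snapshots:
        keep = []
        for f in s.files:
            if (s.device, s.taken_at, f.path) in quarantined:
                audit.append({"actor": actor, "device": s.device,
                              "snapshot": s.taken_at.isoformat(), "path": f.path,
                              "sha256": f.sha256, "action": "deleted"})
            else:
                keep.append(f)
        s.files = keep
    return audit


if __name__ == "__main__":
    hits = sweep(SNAPSHOTS, ioc_hashes={MALICIOUS_HASH})
    print("first seen per device:", timeline(hits))
    q = quarantine(hits)
    print("audit:", defensible_delete(SNAPSHOTS, q, actor="ir-analyst"))
```

The sweep matches on the at-rest metadata the page lists (hash, filename pattern), and the per-device first-seen timestamp is what gives the timeline and scope that containment and recovery decisions depend on. Quarantine is a separate set rather than a flag on the catalog so that a restore path cannot bypass it by reading the raw records, and the delete step returns the audit record rather than only logging it.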

Strengthen Your Security with Druva

Druva is the industry’s first and only at-scale 100% SaaS-based data protection solution. It eliminates complex infrastructure and delivers data resilience via a single platform to simplify management, backup, and recovery across workloads. Customers get access to Threat Hunting capabilities included with their security coverage and strengthen their incident response by:

  • Searching for threats across an extended timeline of backups and the entire end-user data — endpoint devices and apps like Microsoft 365 and Google Workspace

  • Locating and quarantining threats to prevent restore of compromised data and eliminate reinfection risks from backups

  • Destroying threats from backups and primary environments with defensible deletion

As a result, customers receive the following key benefits:

  • Complement tools across the security stack, including incident investigation 

  • Reduce incident response time by offering built-in containment and remediation tools 

  • Eliminate reinfection risks with containment and remediation capabilities

  • Consolidate searching for threats based on at-rest file metadata across extended timelines and the full enterprise

Next Steps

See how Druva’s security features bolster your defense against ransomware and today’s data threats. Try our 100% SaaS data protection for yourself free for 30 days — no credit card info required!